Public Awareness Problems web 2.0 security and privacy

5.6.3 Automation Attacks Pretending to be an End-user

The difficulty of establishing whether an action is performed by a human being or by a program is a serious vulnerability in Web 2.0. The ability to automate a process which is generally assumed to be carried out by a human being allows attackers to abuse trust and to circumvent controls that limit repeated attempts, such as brute-force attacks. Examples of attacks of this nature are:

1. One of the main defences against unwanted automation is a CAPTCHA, an image containing text rendered in such a way that it is difficult for a program to read but reasonably easy for a human being. It is used to protect functions which should not be automatable, such as messaging and account creation. Various high-profile attacks on CAPTCHAs have highlighted the vulnerability of such systems; for examples, see Yahoo's CAPTCHA Security Reportedly Broken [54] and Spammers crack Gmail CAPTCHAs [55]. The ability to break a CAPTCHA or another anti-automation technique such as filtering opens up the possibility of spamming, Sybil attacks on reputation systems [40], infiltration of social networks and harvesting of personal data. For example, Friendbot [56] automates the creation of 'Friends' on MySpace, which allows its controller to send spam, harvest personal data, etc. Future trends could also include tools that automate the creation of online personas across distributed sets of evidence (blogs, forums, etc.) for the purpose of fraud or political gain; see Investigating individuals and organisations using open source intelligence [57].

2. Social engineering using autonomous chat agents, where individuals engage the bot as if it were a real person and divulge sensitive information [58, 59].

3. Automation that solicits humans to solve CAPTCHAs as part of an attack [60].

5.7 General Software and Scripting Vulnerabilities

This section covers vulnerabilities in software other than those concerning access control and authorisation. We do not discuss general vulnerabilities of infrastructure such as networks and web servers, which affect Web 2.0 applications in the same way as any other web application.

5.7.1 Vulnerabilities on Web-enabled Devices

A wide range of devices are web-enabled and run de-facto web servers, even though we may not think of them as such; home broadband routers are one example. Because these devices are web-enabled, there is a risk that they are vulnerable to Web 2.0 based attacks such as cross-site request forgery (CSRF). One attack of this kind that has been discovered is drive-by pharming [61]. In a drive-by pharming attack, the attacker includes a specific piece of HTML code in a web page or even in an email message. When the code is rendered on the victim's machine, it surreptitiously logs into the victim's home broadband router and modifies its DNS settings. The attacker can either specify an entirely different DNS server from the one the victim was using before, or simply modify specific host-to-IP mappings, such as those associated with the victim's bank. This particular threat has been observed in the wild: in one case, victims in Mexico were targeted, and the router model attacked was one provided by a large Mexican ISP. The attacker's HTTP request to the victim's router modified the host-to-IP mapping of a large Mexican bank.

Another interesting class of Web 2.0 specific vulnerability affecting infrastructure is port-scanning using XMLHttpRequest (XHR). The same-origin policy prevents a page from reading the response of a cross-origin request, but the time a request takes to fail and the error it produces still reveal whether a port accepted the connection, so a page on the internet can probe hosts on the visitor's internal network. For example, Online port scanner [62] offers a legitimate, consent-based vulnerability testing service that includes an XHR-based online port scan test.